Microsoft’s Edge browser has finally joined Mozilla Firefox and Google’s Chrome in supporting a working version of the emerging WebAuthn (Web Authentication) standard that aims to rid the world of passwords once and for all.
All the browser makers have been working on the WebAuthn API privately for a couple of years, but what counts is shipping support for the W3C Candidate Recommendation (CR) version of the spec.
Firefox added this from version 60 in May, and Chrome from version 67 a few weeks later, while Microsoft’s is still only part of Windows 10 Insider ‘Redstone 5’ Preview Build 17723 released last week.
This means the wider public won’t get their paws on Edge’s CR WebAuthn until Windows 10 version 1809 in October, or perhaps 1903 due to appear sometime in the first half of 2019.
But as the history of security standards shows, enabling something and people using it are two different things, which might explain why the company has been in no rush with WebAuthn.
But what is WebAuthn anyway? Microsoft’s announcement sums it up quite well:
With Web Authentication, Microsoft Edge users can sign in with their face, fingerprint, PIN, or portable FIDO2 devices, leveraging strong public-key credentials instead of passwords.
So WebAuthn isn’t just another way to log into websites – the key feature is the ability to do this without having to use a password at any point.
Getting rid of passwords is good for all sorts of reasons – mainly that they are easy to phish, reuse and leak in breaches – but it’s vital that whatever replaces them is better.
The principle behind WebAuthn is that an authenticator – either a portable token (a FIDO2 security key, or an older FIDO U2F key used through its backwards-compatible mode) or a platform authenticator such as Windows Hello (someone’s face, fingerprint or PIN) – holds a private key that never leaves the device and uses it to sign a fresh challenge from the website. The face or fingerprint is only the local gesture that unlocks that key; it is never sent to the site. The private key is therefore very hard to steal remotely, although the device holding it can of course still be lost.
That being true, abolishing shared secrets that can be stolen, namely passwords, becomes logical. At the very worst you’re no less secure than before, and there’s nothing to remember, change or re-use across lots of sites in the way that supercharges credential stuffing attacks. The website stores only a public key and a credential ID, which are of no use to an attacker who steals them.
As with so many of the security innovations Naked Security covers, this idea isn’t that new but until WebAuthn there was no standard to make it possible across not only browsers but websites too.
One could think of two-factor or multi-factor authentication (where users enter a password along with a token or code) as the first stage of this shakeup. The idea was that once the authentication technologies became more familiar and usability improved, people would feel more confident in abandoning passwords altogether.
Unfortunately, it hasn’t been that simple – only a small minority have taken up 2FA and MFA, perhaps because it seemed like another extra hassle on top of the already annoying password layer.
WebAuthn is like going cold turkey. Passwords just suddenly disappear. To ease the transition, Microsoft is trying to make Windows Hello more mainstream on Windows 10 while Google recently announced that it will start selling its own FIDO U2F token, the Titan, as it bids to popularise the technology.
In the end it might unfold as a generational shift in which younger consumers take to WebAuthn while older heads stick to what they know for longer. However, what we can be sure of with every passing announcement is that WebAuthn is coming sooner rather than later.
Signing in with password / UserID allows me multiple passwords AND multiple userIDs.
If I “sign in with my face”, I only have one face (honest); does this make it easier for data aggregators to correlate my activity on multiple websites – using my hashed/salted/encrypted face as the ID?
We need to do something sooner or later to get rid of this PW Hell LOL! 😉
And who stores those faces/fingerprints? MSoft? google? ISPs? the page you’re logging onto?
Do I need a separate fob(s) if I use multiple browsers (I regularly use at least three)?
Once your cryptographic face has been compromised, how do you get it reset?
Only a public key and ID is saved by the website you log into. Fingerprints stay on just your device.
Only one device/fob will be required for everything; it can store many credentials (including ID, private key, and domain).
I think you can use the same credential on any browser on the same device. Since browsers don’t know the device you are using, if you are going between devices (USB key / phone fingerprint) I don’t know how they will choose which to log you in with if you have registered more than one.
Seriously, was this article written by a teenager? Yay let’s get rid of passwords altogether and put all our sensitive data in the hands of tech giants because they’ve proven themselves to be so trustworthy with it! And wtf happens when the decrypter (tool or software) is broken or hacked and everyone has my fingerprint. Am I supposed to grow new fingers??
Most teenagers I know are pretty savvy about technology so I’ll take that as a compliment!
Devices use your device authenticator to create a registration and only send an ID and public key to the website. Faces/fingerprints don’t get sent over the internet. There is no way to correlate what face is being used based on that information.
mvndaai, understood, but a) who makes the determination that the match is correct, and how is that managed? b) that info is stored where exactly, and by whom (who wrote the software)? and c) we are sure they never share that information (hahaha). Data is our currency. And what happens when someone else has my fingerprint then? Apparently (I’m not a cop, just play one on the internet) faking a fingerprint isn’t all that hard.
Of course it does. The money these days is in data.
“If I “sign in with my face”, I only have one face (honest); does this make it easier for data aggregators to correlate my activity on multiple websites – using my hashed/salted/encrypted face as the ID?”
I think that is one of the underlying reasons 2FA has been such a hard sell – not everyone is willing to give up their private mobile phone number “for security purposes” when they know there is a high probability it will also be used for tracking purposes. Even before Yahoo offered 2FA they hounded users to give up their cell phone number for “account recovery” purposes. There is nothing wrong with my landline number for “account recovery” purposes but they wanted a cell number – because that represents the keys to the kingdom for tracking. I’m all for the use of hardware tokens; I paid for a Yubikey that I can only use on PayPal because the VIP protocol isn’t supported on other sites I use. I would happily buy a newer one if more sites would accept it. But I don’t give my cell number to very many people and certainly not to marketers. I’m hoping WebAuthn solves the problem but I don’t believe it will until the marketers figure out a way to monetize it.
Getting rid of passwords also means that site operators may need to rethink how they provide account access and delegation. Consider a banking or brokerage website where a person may write their credentials on paper and stuff it in a firebox so their family can have easy access in the event that something happens to them. Or cases where an account is “shared”, but not officially such as a cell phone plan in one spouse’s name but both use and access it. Regardless of whether those are the best examples, there are clearly cases where more than one person uses the same credentials. If your password is your face, then scenarios such as “up to 4 devices can stream from your Netflix account simultaneously” have to be retooled. Accounts must provide the ability for access from multiple credentials, which has generally not been the case up to now.
What about logging in to configure my virgin internet modem before it has ever made an internet connection. Or my Enphase IOT that reports on my Solar panels. Or my personal cloud device. They all need real passwords or keys of some kind.
And as I use a PC tower with Windows 10, I have no camera and avoid turning the sound on unless I really-really have to hear something. I got rid of Cortana long ago so nobody to talk to either.
I was also under the impression that a camera is a point of failure that can aid an invasion of privacy.
Hey, I grew up in the real old days when I had to use a Teletypewriter to communicate with a mainframe. And then glass versions of the same without the paper. That does beat punch cards.
At least the “forgot password” has a reasonably standard solution. Where is the standard solution for “lost fob”?
I use Firefox and Chrome on a Windows 8.1 laptop. But I don’t have a smartphone; smartphones and iPhones require a data plan to work properly where I live.
I can understand that people want to keep things to themselves and separate from their personal account, not disclose their political ideologies, gaming, certain preferences.
How long would passwords be optional? I don’t want to lose my accounts, if Microsoft, Google and other web browsers are smart, it would be optional, with gradual adoption. The idea of cold turkey would lock out some users who are on Windows 7, 8.1, different flavours of Linux.
It’s going to be a nightmare for some; the whole point of having an Internet is to make things easier. I know people who don’t have smartphones, iPhones and smart devices. I use a Keepass password manager on my laptop. It made my digital life easier, and changing passwords when needed.
…(someone’s face or fingerprint) let people authenticate using cryptographically secure secrets that are very hard or even impossible to steal
Doesn’t this contradict the stories of thick-printed fingertips and mugshots circumventing a given device’s defenses?
Also, if I’ll eventually sign into Gmail or AWS with my face (their loss)… what if I lack a webcam at each location I expect to work? How much of a factor will a camera’s quality be? What about low light situations or camera driver failures–will they fall back to passwds?
Reading NakedSecurity has made me wary of all biometric authentication – even if it’s not as amusing as watching my inebriated buddy get comically pissed as he leers repeatedly into his wife’s phone before realizing the one in his pocket will far more likely be receptive to his advances.
Signing in with your face sounds like a new use for deepfakes.
This upcoming feature will cut off the majority of users who don’t have smartphones and iPhones. It would be nice to have my bases covered, registering more than one security key. My concern is about passwordless log in. What happens when you lose your device, or your face and fingerprints change? Is there a way to reset the biometrics after your face and fingerprints are already registered? Are there any backup solutions for getting back into your accounts rather than using a mobile device such as a smartphone or iPhone?
Anything that can go wrong will go wrong.
I would recommend using more than two security keys and register all of your ten fingerprints. Just in case you accidentally cut your finger while slicing vegetables or paper cut. It’s common sense to have all of your bases covered.
I don’t think WebAuthn will become mainstream as long as there’s a major browser without support for it. (Yes, you know exactly what fruit-named company I’m talking about here.)
Totally off topic — Are you aware your Twitter link at the bottom doesn’t lead to your Twitter feed?
I just opened the author’s link and the Naked Security link (in the Twitter app) and they came out fine… which link were you referring to? I used the ones right after the text with the follower counts next to them.
What about those of us who do not have mobile phones?? Have no plans to get one as my landline is MUCH cheaper than those phones and the service. So what will we do????